Malicious code propagation and antivirus software updates

Friday, 4 July 2003, 9:46 AM EST

Recent reports to the CERT/CC have highlighted two chronic problems:

The speed at which viruses are spreading is increasing. This echoes the trend toward faster propagation rates seen in the past few years in self-propagating malicious code (i.e., worms). Beginning with the Code Red worm (CA-2001-19, CA-2001-23) in 2001 up through the Slammer worm (CA-2003-04) earlier this year, we have seen worm propagation times drop from hours to minutes.

A similar trend from weeks to hours has emerged in the virus (i.e., non-self-propagating malicious code) arena. The effectiveness of antivirus software suffers as a result. Several recent malicious code incidents involving variants of W32/BugBear and W32/Sobig have achieved widespread propagation at rates significantly faster than many previous viruses. This increased speed is, unfortunately, also faster than many antivirus signatures can be identified and updated, regardless of the update method (including automated signature updates). The CERT/CC has received reports of successful W32/Sobig.E compromises from users whose signatures were up to date for the prior versions of W32/Sobig.

Signature-based antivirus software is not the only type of antivirus software at risk: antivirus software that uses heuristics to determine malicious behavior may be circumvented by malicious code that employ new techniques. They should not be unconditionally trusted either, as they may not always block malicious code from executing. Additionally, we are aware of instances where corrupted antivirus software updates have caused the software to be disabled without the user's knowledge.

In a number of the reports, users who were compromised may have been under the incorrect impression that merely having antivirus software installed was enough to protect them from all malicious code attacks. This is simply a mistaken assumption, and users must always exercise caution when handling email attachments or other code or data from untrustworthy sources.

Spotlight

Microsoft Edge, the new browser in Windows 10, represents a significant increase in the security over Internet Explorer. However, there are also new potential threat vectors that arenít present in older versions.

35 percent of employees would sell information on company patents, financial records and customer credit card details if the price was right. This illustrates the growing importance for organizations to deploy data loss prevention strategies.

Sun Tzu's writings have been studied throughout the ages by professional militaries and can used to not only answer the question of whether or not we are in a cyberwar, but how one can fight a cyber-battle.

Infosec consultant Paul Moore came up with a working solution to thwart a type of behavioral profiling. The result is a Chrome extension called Keyboard Privacy, which prevents profiling of users by the way they type by randomizing the rate at which characters reach the DOM.